···11-{
22- profiles,
33- ...
44-}:
55-{
11+{profiles, ...}: {
62 # build with: `bud build bootstrap bootstrapIso`
73 # reachable on the local link via ssh root@fe80::47%eno1
84 # where 'eno1' is replaced by your own machine's network
···1612 ];
1713 boot.loader.systemd-boot.enable = true;
1814 # will be overridden by the bootstrapIso instrumentation
1919- fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
1515+ fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
2016}
···66with lib; let
77 inherit (builtins) readFile fetchurl;
88 cfg = config.security.mitigations;
99- cmdline =
1010- ''
1111- ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';
99+ cmdline = ''
1010+ ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';
1211in {
1312 options = {
1413 security.mitigations.disable =
···1615 {
1716 type = types.bool;
1817 default = false;
1919- description =
2020- ''
2121- Whether to disable spectre and meltdown mitigations in the kernel. Do
2222- not use this in mission critical deployments, or on any machine you do
2323- not have physical access to.
2424- '';
1818+ description = ''
1919+ Whether to disable spectre and meltdown mitigations in the kernel. Do
2020+ not use this in mission critical deployments, or on any machine you do
2121+ not have physical access to.
2222+ '';
2523 };
2624 };
2727- config = mkIf cfg.disable { boot.kernelParams = splitString " " cmdline; };
2525+ config = mkIf cfg.disable {boot.kernelParams = splitString " " cmdline;};
2826}
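Review bot: The option description in the second hunk understates what the flag does: it names only "spectre and meltdown mitigations", while the `cmdline` string in the first hunk also carries `l1tf=off`, `mds=off`, `tsx=on`, `tsx_async_abort=off` and `mitigations=off`. The last of these disables every optional CPU mitigation the running kernel supports, so the description should say so, for example `Whether to disable all CPU vulnerability mitigations in the kernel (sets mitigations=off and re-enables TSX).` The existing caveat speaks only of physical access; the exposure is presumably to any untrusted code on the host (other local users, guests, containers, browser-run scripts), so it would help to add `Do not enable on hosts that run untrusted code or serve multiple tenants.` A short comment above `cmdline` noting which switches are kept only for older kernels would also make the list easier to audit. The commit itself changes only formatting.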